Skip to main content

PaperCut MF CVE-2026-6180

| EUVDEUVD-2026-27231 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-05-05 PaperCut GHSA-hqg4-rx24-2464
4.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.1 MEDIUM
CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 05, 2026 - 08:01 EUVD
Analysis Generated
May 05, 2026 - 07:30 vuln.today
CVSS changed
May 05, 2026 - 07:22 NVD
4.1 (MEDIUM)

DescriptionCVE.org

A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notification fails to reach the server, the server may reject the initial data chunk while erroneously accepting subsequent chunks before a connection reset completes.

This leads to the registration of a truncated badge ID string. While this typically results in an authentication failure, the vulnerability is compounded in environments utilizing custom badge-ID post-processing scripts. In such configurations, the truncated string may be transformed into a valid ID belonging to a different user, leading to unauthorized session establishment (Incorrect User Login) on the device.

AnalysisAI

Race condition in PaperCut MF badge-swipe processing from HP multifunction devices allows unauthorized user login when custom badge-ID post-processing scripts transform truncated badge strings into valid credentials of different users. The vulnerability requires specific network conditions (dropped packets, out-of-order sequence counters, failed sequence reset notifications) and custom script configuration, affecting physical device authentication in networked printing environments. No public exploit identified at time of analysis.

Technical ContextAI

PaperCut MF integrates with HP multifunction devices via badge-swipe authentication protocols that transmit fragmented data chunks with sequence counters. The root cause (CWE-367: Race Condition) occurs in the server-side reassembly logic when sequence reset notifications fail to reach the server during out-of-order packet delivery. The server rejects the initial chunk while accepting subsequent chunks before connection reset completes, resulting in truncated badge ID registration. Environments running custom badge-ID post-processing scripts introduce a secondary transformation step that can convert truncated strings into valid user identifiers through string manipulation or lookup logic, bypassing the intended authentication mechanism.

RemediationAI

Consult PaperCut security bulletin (https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026/) for vendor-released patch version and deployment timeline. As interim mitigations: disable custom badge-ID post-processing scripts if operationally feasible (tradeoff: loss of custom badge transformation logic); implement network reliability measures to reduce dropped packets and out-of-order delivery (QoS, wired connectivity over wireless, redundant network paths); monitor badge authentication logs for truncated or anomalous badge ID registrations and failed authentications; implement additional authentication factors (PIN, LDAP verification) on MFD devices to prevent unauthorized login even if badge processing is compromised; segment badge-swipe devices onto isolated network subnets with stricter ACLs to reduce network instability. High-confidence remediation requires vendor patch confirmation and testing in custom script environments.

More in HP

View all
CVE-2017-3881 CRITICAL POC
9.8 Mar 17

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software co

CVE-2013-4810 CRITICAL POC
9.8 Sep 16

HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle

CVE-2014-2623 CRITICAL POC
10.0 Jul 18

Unspecified vulnerability in HP Storage Data Protector 8.x allows remote attackers to execute arbitrary code via unknown

CVE-2013-6221 CRITICAL POC
10.0 Jun 18

Directory traversal vulnerability in CommunicationServlet in HP Service Virtualization 3.x before 3.50.1, when the AutoP

CVE-2013-2367 CRITICAL POC
10.0 Jul 31

Multiple unspecified vulnerabilities in HP SiteScope 11.20 and 11.21, when SOAP is used, allow remote attackers to execu

CVE-2013-4811 CRITICAL POC
10.0 Sep 16

UpdateDomainControllerServlet in the SNAC registration server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4

CVE-2013-4798 CRITICAL POC
10.0 Jul 29

Unspecified vulnerability in HP LoadRunner before 11.52 allows remote attackers to execute arbitrary code via unknown ve

CVE-2012-2020 CRITICAL POC
10.0 Jul 11

Unspecified vulnerability in HP Operations Agent before 11.03.12 allows remote attackers to execute arbitrary code via u

CVE-2013-2333 CRITICAL POC
10.0 Jun 06

Unspecified vulnerability in HP Storage Data Protector 6.20, 6.21, 7.00, and 7.01 allows remote attackers to execute arb

CVE-2014-2624 CRITICAL POC
10.0 Sep 11

Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute ar

CVE-2013-6194 CRITICAL POC
10.0 Jan 04

Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a

CVE-2013-2347 CRITICAL POC
10.0 Jan 04

The Backup Client Service (OmniInet.exe) in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary

Share

CVE-2026-6180 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy